
Pup infection keeps coming back, fear I have remote attack/tracking beacons


Hi,

Start FRST with administrator privileges.

  • Make sure the Addition.txt option is checked.
  • Press the Scan button.
  • When finished, FRST will produce two logs (FRST.txt and Addition.txt) in the same directory the tool was run from.

    Please copy and paste these logs in your next reply.


Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version:31-07-2014 01

Ran by McMillan (administrator) on SAHARA-PC on 01-08-2014 19:04:31

Running from C:\Users\McMillan\Desktop

Platform: Microsoft Windows 7 Home Basic  Service Pack 1 (X86) OS Language: English (United States)

Internet Explorer Version 11

Boot Mode: Normal


The only official download link for FRST:



Download link from any site other than Bleeping Computer is unpermitted or outdated.



==================== Processes (Whitelisted) =================


(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)


(Emsisoft GmbH) C:\Program Files\Emsisoft Anti-Malware\a2service.exe

(Emsisoft GmbH) C:\Program Files\Emsisoft Anti-Malware\a2guard.exe

(Oracle Corporation) C:\Program Files\Common Files\Java\Java Update\jusched.exe

(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe

(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe

(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe

(Microsoft Corporation) C:\Windows\System32\wuauclt.exe

(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe

(Google Inc.) C:\Program Files\Google\Chrome\Application\chrome.exe


==================== Registry (Whitelisted) ==================


(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)


HKU\S-1-5-19\...\Run: [sidebar] => %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun

HKU\S-1-5-20\...\Run: [sidebar] => %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun

HKU\S-1-5-21-2454762815-89852866-1431263164-1000\...\MountPoints2: {525512c7-f299-11e3-b032-806e6f6e6963} - D:\setup.exe

BootExecute: autocheck autochk * regdefrag


==================== Internet (Whitelisted) ====================


(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)


HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://ph.msn.com/?rd=1&ucc=PH&dcc=PH&opt=0&ocid=iehp

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 0x40B9BCAD2B86CF01

HKCU\Software\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us

SearchScopes: HKCU - DefaultScope {E5F8506C-6220-48CE-AF75-8BBC691CDBFC} URL = https://www.google.com/search?q={searchTerms}

SearchScopes: HKCU - {E5F8506C-6220-48CE-AF75-8BBC691CDBFC} URL = https://www.google.com/search?q={searchTerms}

BHO: Java Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)

BHO: Java Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)

Hosts: 127.0.0.1 localhost

Tcpip\Parameters: [DhcpNameServer] 192.168.1.1


FireFox:

========

FF Plugin: @adobe.com/FlashPlayer - C:\Windows\system32\Macromed\Flash\NPSWF32_14_0_0_145.dll ()

FF Plugin: @java.com/DTPlugin,version=10.65.2 - C:\Program Files\Java\jre7\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)

FF Plugin: @java.com/JavaPlugin,version=10.65.2 - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)

FF Plugin: @Microsoft.com/NpCtrl,version=1.0 - C:\Program Files\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)

FF Plugin: @nvidia.com/3DVision - C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)

FF Plugin: @nvidia.com/3DVisionStreaming - C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)

FF Plugin: @tools.google.com/Google Update;version=3 - C:\Program Files\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)

FF Plugin: @tools.google.com/Google Update;version=9 - C:\Program Files\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)

FF Plugin: @videolan.org/vlc,version=2.1.3 - C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)

FF HKCU\...\Firefox\Extensions: [freegames4357@BestOffers] - C:\Users\McMillan\AppData\Roaming\Mozilla\Extensions\freegames4357@BestOffers


Chrome:

=======

CHR StartupUrls: "hxxp://www.gmail.com/"

CHR Plugin: (Widevine Content Decryption Module) - C:\Users\McMillan\AppData\Local\Google\Chrome\User Data\WidevineCDM\1.4.4.600\_platform_specific\win_x86\widevinecdmadapter.dll ()

CHR Plugin: (Shockwave Flash) - C:\Program Files\Google\Chrome\Application\36.0.1985.125\PepperFlash\pepflashplayer.dll No File

CHR Plugin: (Chrome Remote Desktop Viewer) - internal-remoting-viewer

CHR Plugin: (Native Client) - C:\Program Files\Google\Chrome\Application\36.0.1985.125\ppGoogleNaClPluginChrome.dll ()

CHR Plugin: (Chrome PDF Viewer) - C:\Program Files\Google\Chrome\Application\36.0.1985.125\pdf.dll ()

CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.24.15\npGoogleUpdate3.dll (Google Inc.)

CHR Plugin: (Java Platform SE 7 U21) - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)

CHR Plugin: (Silverlight Plug-In) - C:\Program Files\Microsoft Silverlight\5.1.30214.0\npctrl.dll ( Microsoft Corporation)

CHR Plugin: (NVIDIA 3D Vision) - C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dv.dll (NVIDIA Corporation)

CHR Plugin: (NVIDIA 3D VISION) - C:\Program Files\NVIDIA Corporation\3D Vision\npnv3dvstreaming.dll (NVIDIA Corporation)

CHR Plugin: (VLC Web Plugin) - C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)

CHR Plugin: (Shockwave Flash) - C:\Windows\system32\Macromed\Flash\NPSWF32_14_0_0_145.dll ()

CHR Plugin: (Java Deployment Toolkit 7.0.210.11) - C:\Windows\system32\npDeployJava1.dll No File

CHR Extension: (Google Drive) - C:\Users\McMillan\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2014-07-25]

CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\McMillan\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-07-31]

CHR Extension: (Presentme) - C:\Users\McMillan\AppData\Local\Google\Chrome\User Data\Default\Extensions\ckpbiomcikhplplfddlbcikdhlnoibgf [2014-07-31]

CHR Extension: (Google Search) - C:\Users\McMillan\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2014-07-25]

CHR Extension: (Gmail Offline) - C:\Users\McMillan\AppData\Local\Google\Chrome\User Data\Default\Extensions\ejidjjhkpiempkbhmpbfngldlkglhimk [2014-07-28]

CHR Extension: (PDF Mergy) - C:\Users\McMillan\AppData\Local\Google\Chrome\User Data\Default\Extensions\hgecghmkcdefnknohcimkoemhaofpoha [2014-07-31]

CHR Extension: (Excel Online) - C:\Users\McMillan\AppData\Local\Google\Chrome\User Data\Default\Extensions\iljnkagajgfdmfnnidjijobijlfjfgnb [2014-07-28]

CHR Extension: (Zoho Sheet) - C:\Users\McMillan\AppData\Local\Google\Chrome\User Data\Default\Extensions\jhegddohmncgelkehhnigphmloinkinj [2014-07-31]

CHR Extension: (Zoho CRM) - C:\Users\McMillan\AppData\Local\Google\Chrome\User Data\Default\Extensions\kigppphkaknhndejgcmckacpipcioacn [2014-07-31]

CHR Extension: (Skype Status Detector) - C:\Users\McMillan\AppData\Local\Google\Chrome\User Data\Default\Extensions\liiiaejmgghgpmppnkiloijccihddjdj [2014-07-31]

CHR Extension: (Lazarus: Form Recovery) - C:\Users\McMillan\AppData\Local\Google\Chrome\User Data\Default\Extensions\loljledaigphbcpfhfmgopdkppkifgno [2014-07-28]

CHR Extension: (Easy SEO Tools) - C:\Users\McMillan\AppData\Local\Google\Chrome\User Data\Default\Extensions\mnlboglefdlldiioafkgbbdfihdoicam [2014-07-31]

CHR Extension: (Google Wallet) - C:\Users\McMillan\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2014-07-31]

CHR Extension: (Instagram for Chrome) - C:\Users\McMillan\AppData\Local\Google\Chrome\User Data\Default\Extensions\opnbmdkdflhjiclaoiiifmheknpccalb [2014-07-31]

CHR Extension: (Gmail) - C:\Users\McMillan\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2014-07-25]

CHR Extension: (SEO Competitor Analysis Tool) - C:\Users\McMillan\AppData\Local\Google\Chrome\User Data\Default\Extensions\pnpafbknegcefgoojplahellhohoklbj [2014-07-31]


========================== Services (Whitelisted) =================


(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)


R2 a2AntiMalware; C:\Program Files\Emsisoft Anti-Malware\a2service.exe [4741384 2014-07-09] (Emsisoft GmbH)

S3 NvNetworkService; C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe [1617696 2014-05-01] (NVIDIA Corporation)

S3 NvStreamSvc; C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe [19702048 2014-05-01] (NVIDIA Corporation)


==================== Drivers (Whitelisted) ====================


(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)


R3 a2acc; C:\PROGRAM FILES\EMSISOFT ANTI-MALWARE\a2accx86.sys [58200 2014-05-12] (Emsisoft GmbH)

R1 A2DDA; C:\Program Files\Emsisoft Anti-Malware\a2ddax86.sys [22056 2013-03-28] (Emsisoft GmbH)

R1 a2injectiondriver; C:\Program Files\Emsisoft Anti-Malware\a2dix86.sys [38248 2013-09-30] (Emsisoft GmbH)

R1 a2util; C:\Program Files\Emsisoft Anti-Malware\a2util32.sys [18552 2014-05-12] (Emsisoft GmbH)

R3 cleanhlp; C:\Program Files\Emsisoft Anti-Malware\cleanhlp32.sys [50200 2013-12-04] (Emsisoft GmbH)

R3 MTsensor; C:\Windows\System32\DRIVERS\ASACPI.sys [5810 2004-08-13] ()

S3 NvStreamKms; C:\Program Files\NVIDIA Corporation\NvStreamSrv\NvStreamKms.sys [17240 2014-05-01] (NVIDIA Corporation)

R3 nvvad_WaveExtensible; C:\Windows\System32\drivers\nvvad32v.sys [34080 2014-04-01] (NVIDIA Corporation)

S4 NVHDA; system32\drivers\nvhda32v.sys [X]


==================== NetSvcs (Whitelisted) ===================


(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)


==================== One Month Created Files and Folders ========


(If an entry is included in the fixlist, the file\folder will be moved.)


2014-08-01 19:04 - 2014-08-01 19:04 - 00010441 _____ () C:\Users\McMillan\Desktop\FRST.txt

2014-08-01 07:57 - 2014-08-01 07:57 - 00000000 ____D () C:\Users\McMillan\Desktop\New folder

2014-08-01 07:09 - 2014-08-01 07:10 - 00057843 _____ () C:\Users\McMillan\Downloads\fport.zip

2014-08-01 06:18 - 2014-08-01 06:18 - 00046655 _____ () C:\Users\McMillan\Desktop\FRSTafterimanuallystartedcrypto.txt

2014-08-01 06:18 - 2014-08-01 06:18 - 00000011 _____ () C:\Users\McMillan\Desktop\command.bat

2014-08-01 05:51 - 2014-08-01 05:51 - 00046588 _____ () C:\Users\McMillan\Desktop\FRSTaftermicrosoftFIX.txt

2014-08-01 05:46 - 2014-08-01 05:46 - 00683008 _____ () C:\Users\McMillan\Desktop\MicrosoftFixit50671.msi

2014-08-01 05:39 - 2014-08-01 05:39 - 00045992 _____ () C:\Users\McMillan\Desktop\FRSTAFTERjorgensfix.txt

2014-08-01 04:14 - 2014-08-01 04:14 - 00016012 _____ () C:\Users\McMillan\Desktop\Addition4.txt

2014-08-01 04:13 - 2014-08-01 06:10 - 00046655 _____ () C:\Users\McMillan\Desktop\FRST4.txt

2014-08-01 04:03 - 2014-08-01 04:03 - 00015821 _____ () C:\Users\McMillan\Desktop\Addition3.txt

2014-08-01 04:02 - 2014-08-01 04:03 - 00045339 _____ () C:\Users\McMillan\Desktop\FRST3.txt

2014-08-01 02:02 - 2014-08-01 02:02 - 00136409 _____ () C:\Users\McMillan\Desktop\events that started it all.txt

2014-07-31 21:05 - 2014-07-31 21:30 - 00015685 _____ () C:\Users\McMillan\Desktop\Addition2.txt

2014-07-31 21:04 - 2014-07-31 21:05 - 00046684 _____ () C:\Users\McMillan\Desktop\FRST2.txt

2014-07-31 20:41 - 2014-07-31 20:41 - 00000000 ____D () C:\Program Files\Common Files\Java

2014-07-31 20:41 - 2014-07-31 20:40 - 00272808 _____ (Oracle Corporation) C:\Windows\system32\javaws.exe

2014-07-31 20:40 - 2014-07-31 20:40 - 00175528 _____ (Oracle Corporation) C:\Windows\system32\javaw.exe

2014-07-31 20:40 - 2014-07-31 20:40 - 00175528 _____ (Oracle Corporation) C:\Windows\system32\java.exe

2014-07-31 20:40 - 2014-07-31 20:40 - 00096680 _____ (Oracle Corporation) C:\Windows\system32\WindowsAccessBridge.dll

2014-07-31 20:40 - 2014-07-31 20:40 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java

2014-07-31 20:36 - 2014-07-31 20:36 - 00918952 _____ (Oracle Corporation) C:\Users\McMillan\Downloads\chromeinstall-7u65.exe

2014-07-31 20:18 - 2014-07-31 20:19 - 00259112 _____ () C:\Windows\system32\FNTCACHE.DAT

2014-07-31 20:18 - 2014-07-31 20:18 - 00000588 _____ () C:\Windows\PFRO.log

2014-07-31 20:15 - 2014-07-31 20:15 - 00415232 _____ (Farbar) C:\Users\McMillan\Downloads\FarbarServiceScannerDSLissues.exe

2014-07-31 20:10 - 2014-07-31 20:10 - 00000000 ____D () C:\ProgramData\Emsisoft

2014-07-31 19:32 - 2014-07-31 19:32 - 00001049 _____ () C:\Users\Public\Desktop\Emsisoft Anti-Malware.lnk

2014-07-31 19:32 - 2014-07-31 19:32 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Emsisoft Anti-Malware

2014-07-31 19:31 - 2014-08-01 18:15 - 00000000 ____D () C:\Program Files\Emsisoft Anti-Malware

2014-07-31 19:13 - 2014-07-31 19:23 - 215880376 _____ (Emsisoft GmbH ) C:\Users\McMillan\Desktop\EmsisoftAntiMalwareSetup.exe

2014-07-31 17:13 - 2014-07-31 17:13 - 02347384 _____ (ESET) C:\Users\McMillan\Desktop\esetsmartinstaller_enu.exe

2014-07-31 16:53 - 2014-07-31 17:03 - 00000000 ____D () C:\ProgramData\Malwarebytes' Anti-Malware (portable)

2014-07-31 16:53 - 2014-07-31 16:53 - 00113880 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys

2014-07-31 16:53 - 2014-07-31 16:53 - 00000000 ____D () C:\ProgramData\Malwarebytes

2014-07-31 16:50 - 2014-07-31 17:03 - 00000000 ____D () C:\Users\McMillan\Desktop\mbar

2014-07-31 16:50 - 2014-07-31 16:50 - 00075480 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys

2014-07-31 16:49 - 2014-07-31 16:50 - 14349744 _____ (Malwarebytes Corp.) C:\Users\McMillan\Desktop\mbar-1.07.0.1012.exe

2014-07-31 16:14 - 2014-07-31 16:15 - 00042669 _____ () C:\Users\McMillan\Desktop\FRST1.txt

2014-07-31 16:14 - 2014-07-31 16:15 - 00014581 _____ () C:\Users\McMillan\Desktop\addition1 .txt

2014-07-31 16:13 - 2014-08-01 19:04 - 00000000 ____D () C:\FRST

2014-07-31 16:12 - 2014-07-31 16:12 - 01084928 _____ (Farbar) C:\Users\McMillan\Desktop\FRST.exe

2014-07-31 16:04 - 2014-07-31 16:04 - 00000000 ____D () C:\Users\McMillan\Downloads\testdickharddiskfixbootrecovery

2014-07-31 16:03 - 2014-07-31 16:03 - 00000000 ____D () C:\Users\McMillan\Downloads\TCPVIEW

2014-07-31 16:01 - 2014-07-31 16:03 - 00000000 ____D () C:\Users\McMillan\Downloads\ProcessExplorer

2014-07-31 15:52 - 2014-07-31 15:52 - 01942776 _____ (Bleeping Computer, LLC) C:\Users\McMillan\Downloads\rkill.com

2014-07-31 15:46 - 2014-07-31 15:57 - 233663808 _____ (Emsisoft GmbH ) C:\Users\McMillan\Downloads\EmsisoftAntiMalwareSetup.exe

2014-07-31 15:38 - 2014-07-31 15:38 - 01402880 _____ () C:\Users\McMillan\Downloads\HiJackThis.msi

2014-07-31 13:35 - 2014-07-31 13:35 - 00000000 ____H () C:\Users\McMillan\Documents\Default.rdp

2014-07-31 12:15 - 2014-07-31 12:15 - 00058016 _____ () C:\Users\McMillan\AppData\Local\GDIPFONTCACHEV1.DAT

2014-07-31 10:32 - 2014-07-31 10:32 - 01156136 _____ (Ruiware) C:\Users\McMillan\Downloads\winpatrolstartupPrograms.exe

2014-07-31 10:26 - 2014-07-31 10:27 - 00688992 _____ (Swearware) C:\Users\McMillan\Downloads\ddsscancompfindoutwhatswrong.scr

2014-07-31 10:13 - 2014-07-31 15:58 - 00000000 ____D () C:\Users\McMillan\Downloads\GrantPerms

2014-07-31 10:11 - 2014-07-31 10:11 - 00401920 _____ (Farbar) C:\Users\McMillan\Downloads\MiniToolBoxinternetissueshijacking.exe

2014-07-31 10:10 - 2014-07-31 10:10 - 01084928 _____ (Farbar) C:\Users\McMillan\Downloads\Farbarrecoveryscantool.exe

2014-07-31 09:40 - 2014-07-31 09:41 - 01361309 _____ () C:\Users\McMillan\Downloads\adwcleaner_3.302.exe

2014-07-31 09:40 - 2014-07-31 09:40 - 00709564 _____ () C:\Users\McMillan\Downloads\delfix2useafterdisinfection10.8.exe

2014-07-31 09:36 - 2014-07-31 09:36 - 00695920 _____ (RaMMicHaeL) C:\Users\McMillan\Downloads\unchecky_setup.exe

2014-07-31 09:35 - 2014-07-31 09:35 - 00914016 _____ (Foolish IT LLC ) C:\Users\McMillan\Downloads\CryptoPreventSetup.exe

2014-07-31 09:33 - 2014-07-31 09:33 - 02650408 _____ (Malwarebytes ) C:\Users\McMillan\Downloads\Mbytes Anit Exploit-setup-1.03.1.1220.exe

2014-07-31 09:32 - 2014-07-31 09:33 - 17292760 _____ (Malwarebytes Corporation ) C:\Users\McMillan\Downloads\mbam-setup-2.0.2.1012.exe

2014-07-31 09:31 - 2014-07-31 09:31 - 00448512 _____ (OldTimer Tools) C:\Users\McMillan\Downloads\TFCremoveALLtempfiles.exe

2014-07-31 09:29 - 2014-07-31 09:29 - 02856736 _____ (MyCity) C:\Users\McMillan\Downloads\MCShield-Setup.exe

2014-07-31 08:50 - 2014-07-31 08:50 - 05563986 _____ (Swearware) C:\Users\McMillan\Downloads\ComboFix.exe

2014-07-31 08:49 - 2014-07-31 08:49 - 00368256 _____ (RegNow.com) C:\Users\McMillan\Downloads\Download_MaxSDDMnew.exe

2014-07-31 08:35 - 2014-07-31 08:35 - 00442464 _____ (Kaspersky Lab ZAO) C:\Users\McMillan\Downloads\capperkiller.exe

2014-07-31 08:33 - 2014-07-31 08:33 - 04181856 _____ (Kaspersky Lab ZAO) C:\Users\McMillan\Downloads\tdsskiller malware virus removal.exe

2014-07-31 08:32 - 2014-07-31 08:41 - 149623616 _____ () C:\Users\McMillan\Downloads\kasperskyvirusremoval.exe

2014-07-31 08:12 - 2014-07-31 08:12 - 00001930 _____ () C:\Windows\hiveList.dat

2014-07-31 08:12 - 2014-07-31 08:12 - 00000004 _____ () C:\Windows\CSCCompactState

2014-07-31 08:08 - 2014-07-31 08:08 - 00000000 ____D () C:\Program Files\COMODO

2014-07-31 07:52 - 2014-08-01 18:11 - 00001028 _____ () C:\Windows\setupact.log

2014-07-31 07:52 - 2014-07-31 07:52 - 00000000 _____ () C:\Windows\setuperr.log

2014-07-31 07:44 - 2014-08-01 19:02 - 00077211 _____ () C:\Windows\WindowsUpdate.log

2014-07-30 11:53 - 2014-07-30 11:55 - 14863480 _____ (Comodo Security Solutions, Inc.) C:\Users\McMillan\Downloads\comodregistrycleanerptsetup.exe

2014-07-30 11:53 - 2014-07-30 11:53 - 04813544 _____ (Piriform Ltd) C:\Users\McMillan\Downloads\cccleanrersetup416.exe

2014-07-30 11:50 - 2014-07-30 11:56 - 107934464 _____ (Microsoft Corporation) C:\Users\McMillan\Downloads\microsofts one time security tool.exe

2014-07-30 11:45 - 2014-07-30 11:46 - 19598528 _____ (SUPERAntiSpyware) C:\Users\McMillan\Downloads\SUPERAntiSpyware.exe

2014-07-30 11:40 - 2014-07-30 11:41 - 07222504 _____ (TweakNow.com ) C:\Users\McMillan\Downloads\tweaknowRegCleaner731.exe

2014-07-28 22:39 - 2014-07-28 22:54 - 00000000 ____D () C:\Users\McMillan\Desktop\BOB

2014-07-28 20:48 - 2014-07-28 20:48 - 00014398 _____ () C:\Users\McMillan\Desktop\chrome - Shortcut.lnk

2014-07-28 20:42 - 2014-07-28 20:45 - 00000000 ____D () C:\Program Files\Google

2014-07-25 03:18 - 2014-07-25 03:18 - 00024825 _____ () C:\Users\McMillan\Downloads\msg0001.WAV

2014-07-25 02:28 - 2014-07-25 02:28 - 00000000 _____ () C:\Users\McMillan\AppData\Local\{C9A256ED-41A5-49FE-959F-3AEA296345F8}

2014-07-25 02:03 - 2014-07-25 02:09 - 00000000 ____D () C:\Users\McMillan\msdt

2014-07-25 00:25 - 2014-07-30 15:59 - 00000000 ____D () C:\Users\McMillan\AppData\Local\CrashDumps

2014-07-24 18:05 - 2014-07-24 18:05 - 00000000 ____D () C:\Users\McMillan\AppData\Local\Bluestacks

2014-07-23 17:21 - 2014-07-23 17:21 - 00000000 __SHD () C:\Users\Butch\AppData\Local\EmieUserList

2014-07-23 17:21 - 2014-07-23 17:21 - 00000000 __SHD () C:\Users\Butch\AppData\Local\EmieSiteList

2014-07-23 16:06 - 2014-07-24 23:48 - 00000000 ____D () C:\Windows\system32\BlueStacks

2014-07-23 16:06 - 2014-07-23 16:06 - 00000000 ____D () C:\Users\Butch\AppData\Roaming\NVIDIA

2014-07-23 16:01 - 2014-07-23 16:01 - 00000000 ____D () C:\Users\Butch\AppData\Local\Bluestacks

2014-07-23 13:10 - 2014-07-25 02:24 - 00000000 ____D () C:\Users\Butch\AppData\Roaming\Skype

2014-07-23 13:10 - 2014-07-23 13:10 - 00000000 ____D () C:\Users\Butch\AppData\Local\Skype

2014-07-23 13:05 - 2014-07-31 14:30 - 00000000 ____D () C:\inetpub

2014-07-23 10:32 - 2014-07-23 13:04 - 00000000 ____D () C:\Users\Butch\AppData\Local\NVIDIA Corporation

2014-07-23 10:31 - 2014-07-23 10:31 - 00000000 ____D () C:\Users\Butch\AppData\Local\tjnet

2014-07-23 10:18 - 2014-07-23 10:26 - 00007654 _____ () C:\Users\Butch\AppData\Local\resmon.resmoncfg

2014-07-23 08:50 - 2014-07-25 02:24 - 00000000 ____D () C:\Users\McMillan\Desktop\Fix it portable

2014-07-23 06:49 - 2014-07-23 06:49 - 00000632 __RSH () C:\Users\McMillan\ntuser.pol

2014-07-04 16:25 - 2014-07-04 16:26 - 14349744 _____ (Malwarebytes Corp.) C:\Users\McMillan\Downloads\mbar-1.07.0.1012.exe

2014-07-04 13:44 - 2014-07-31 08:16 - 00035152 _____ () C:\Windows\system32\Drivers\TrueSight.sys

2014-07-04 13:44 - 2014-07-25 02:24 - 00000000 ____D () C:\ProgramData\RogueKiller

2014-07-04 13:30 - 2014-07-04 13:42 - 230403208 _____ (COMODO) C:\Users\McMillan\Downloads\cfw_installer_5732_83.exe

2014-07-04 13:18 - 2014-07-04 13:19 - 04721240 _____ () C:\Users\McMillan\Downloads\RogueKiller.exe

2014-07-04 11:09 - 2014-07-04 11:09 - 01291624 _____ (Baidu, Inc.) C:\Users\McMillan\Downloads\BavPro_Setup_Mini_GL.exe

2014-07-04 09:58 - 2014-07-04 09:58 - 00000000 ____H () C:\Windows\system32\Drivers\Msft_User_WpdFs_01_09_00.Wdf

2014-07-03 19:07 - 2014-05-20 07:11 - 00603592 _____ (NVIDIA Corporation) C:\Windows\system32\nvStreaming.exe

2014-07-03 15:31 - 2014-07-03 15:31 - 00000000 ____D () C:\Users\McMillan\AppData\Roaming\dvdcss

2014-07-03 05:00 - 2014-07-30 00:41 - 00000000 ____D () C:\Users\McMillan\AppData\Roaming\Zoiper

2014-07-03 05:00 - 2014-07-25 02:24 - 00000000 ____D () C:\Program Files\Zoiper

2014-07-03 05:00 - 2014-07-03 05:00 - 00000955 _____ () C:\Users\McMillan\Desktop\Zoiper.lnk

2014-07-03 04:53 - 2014-07-31 20:41 - 00000000 ____D () C:\ProgramData\Oracle

2014-07-03 04:53 - 2014-07-03 04:53 - 00000000 ____D () C:\ProgramData\Sun

2014-07-03 04:52 - 2014-07-31 20:40 - 00000000 ____D () C:\Program Files\Java


==================== One Month Modified Files and Folders =======


(If an entry is included in the fixlist, the file\folder will be moved.)


2014-08-01 19:04 - 2014-08-01 19:04 - 00010441 _____ () C:\Users\McMillan\Desktop\FRST.txt

2014-08-01 19:04 - 2014-07-31 16:13 - 00000000 ____D () C:\FRST

2014-08-01 19:02 - 2014-07-31 07:44 - 00077211 _____ () C:\Windows\WindowsUpdate.log

2014-08-01 18:18 - 2009-07-14 12:34 - 00021664 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0

2014-08-01 18:18 - 2009-07-14 12:34 - 00021664 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0

2014-08-01 18:15 - 2014-07-31 19:31 - 00000000 ____D () C:\Program Files\Emsisoft Anti-Malware

2014-08-01 18:15 - 2010-11-21 05:01 - 00736438 _____ () C:\Windows\system32\PerfStringBackup.INI

2014-08-01 18:14 - 2009-07-14 10:37 - 00000000 ____D () C:\Windows\system32\NDF

2014-08-01 18:11 - 2014-07-31 07:52 - 00001028 _____ () C:\Windows\setupact.log

2014-08-01 18:11 - 2009-07-14 12:53 - 00000006 ____H () C:\Windows\Tasks\SA.DAT

2014-08-01 07:57 - 2014-08-01 07:57 - 00000000 ____D () C:\Users\McMillan\Desktop\New folder

2014-08-01 07:10 - 2014-08-01 07:09 - 00057843 _____ () C:\Users\McMillan\Downloads\fport.zip

2014-08-01 06:18 - 2014-08-01 06:18 - 00046655 _____ () C:\Users\McMillan\Desktop\FRSTafterimanuallystartedcrypto.txt

2014-08-01 06:18 - 2014-08-01 06:18 - 00000011 _____ () C:\Users\McMillan\Desktop\command.bat

2014-08-01 06:10 - 2014-08-01 04:13 - 00046655 _____ () C:\Users\McMillan\Desktop\FRST4.txt

2014-08-01 06:03 - 2009-07-14 10:37 - 00000000 ____D () C:\Windows\registration

2014-08-01 05:51 - 2014-08-01 05:51 - 00046588 _____ () C:\Users\McMillan\Desktop\FRSTaftermicrosoftFIX.txt

2014-08-01 05:47 - 2009-07-14 12:53 - 00019240 _____ () C:\Windows\Tasks\SCHEDLGU.TXT

2014-08-01 05:46 - 2014-08-01 05:46 - 00683008 _____ () C:\Users\McMillan\Desktop\MicrosoftFixit50671.msi

2014-08-01 05:39 - 2014-08-01 05:39 - 00045992 _____ () C:\Users\McMillan\Desktop\FRSTAFTERjorgensfix.txt

2014-08-01 04:14 - 2014-08-01 04:14 - 00016012 _____ () C:\Users\McMillan\Desktop\Addition4.txt

2014-08-01 04:03 - 2014-08-01 04:03 - 00015821 _____ () C:\Users\McMillan\Desktop\Addition3.txt

2014-08-01 04:03 - 2014-08-01 04:02 - 00045339 _____ () C:\Users\McMillan\Desktop\FRST3.txt

2014-08-01 02:02 - 2014-08-01 02:02 - 00136409 _____ () C:\Users\McMillan\Desktop\events that started it all.txt

2014-07-31 21:57 - 2014-06-13 01:01 - 00000000 ____D () C:\Users\McMillan\AppData\Roaming\vlc

2014-07-31 21:30 - 2014-07-31 21:05 - 00015685 _____ () C:\Users\McMillan\Desktop\Addition2.txt

2014-07-31 21:05 - 2014-07-31 21:04 - 00046684 _____ () C:\Users\McMillan\Desktop\FRST2.txt

2014-07-31 20:41 - 2014-07-31 20:41 - 00000000 ____D () C:\Program Files\Common Files\Java

2014-07-31 20:41 - 2014-07-03 04:53 - 00000000 ____D () C:\ProgramData\Oracle

2014-07-31 20:40 - 2014-07-31 20:41 - 00272808 _____ (Oracle Corporation) C:\Windows\system32\javaws.exe

2014-07-31 20:40 - 2014-07-31 20:40 - 00175528 _____ (Oracle Corporation) C:\Windows\system32\javaw.exe

2014-07-31 20:40 - 2014-07-31 20:40 - 00175528 _____ (Oracle Corporation) C:\Windows\system32\java.exe

2014-07-31 20:40 - 2014-07-31 20:40 - 00096680 _____ (Oracle Corporation) C:\Windows\system32\WindowsAccessBridge.dll

2014-07-31 20:40 - 2014-07-31 20:40 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java

2014-07-31 20:40 - 2014-07-03 04:52 - 00000000 ____D () C:\Program Files\Java

2014-07-31 20:36 - 2014-07-31 20:36 - 00918952 _____ (Oracle Corporation) C:\Users\McMillan\Downloads\chromeinstall-7u65.exe

2014-07-31 20:19 - 2014-07-31 20:18 - 00259112 _____ () C:\Windows\system32\FNTCACHE.DAT

2014-07-31 20:18 - 2014-07-31 20:18 - 00000588 _____ () C:\Windows\PFRO.log

2014-07-31 20:15 - 2014-07-31 20:15 - 00415232 _____ (Farbar) C:\Users\McMillan\Downloads\FarbarServiceScannerDSLissues.exe

2014-07-31 20:10 - 2014-07-31 20:10 - 00000000 ____D () C:\ProgramData\Emsisoft

2014-07-31 19:32 - 2014-07-31 19:32 - 00001049 _____ () C:\Users\Public\Desktop\Emsisoft Anti-Malware.lnk

2014-07-31 19:32 - 2014-07-31 19:32 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Emsisoft Anti-Malware

2014-07-31 19:23 - 2014-07-31 19:13 - 215880376 _____ (Emsisoft GmbH ) C:\Users\McMillan\Desktop\EmsisoftAntiMalwareSetup.exe

2014-07-31 17:18 - 2014-06-13 01:03 - 00000000 ____D () C:\Users\McMillan\AppData\Roaming\Skype

2014-07-31 17:13 - 2014-07-31 17:13 - 02347384 _____ (ESET) C:\Users\McMillan\Desktop\esetsmartinstaller_enu.exe

2014-07-31 17:03 - 2014-07-31 16:53 - 00000000 ____D () C:\ProgramData\Malwarebytes' Anti-Malware (portable)

2014-07-31 17:03 - 2014-07-31 16:50 - 00000000 ____D () C:\Users\McMillan\Desktop\mbar

2014-07-31 16:53 - 2014-07-31 16:53 - 00113880 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys

2014-07-31 16:53 - 2014-07-31 16:53 - 00000000 ____D () C:\ProgramData\Malwarebytes

2014-07-31 16:50 - 2014-07-31 16:50 - 00075480 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys

2014-07-31 16:50 - 2014-07-31 16:49 - 14349744 _____ (Malwarebytes Corp.) C:\Users\McMillan\Desktop\mbar-1.07.0.1012.exe

2014-07-31 16:15 - 2014-07-31 16:14 - 00042669 _____ () C:\Users\McMillan\Desktop\FRST1.txt

2014-07-31 16:15 - 2014-07-31 16:14 - 00014581 _____ () C:\Users\McMillan\Desktop\addition1 .txt

2014-07-31 16:13 - 2014-06-13 01:05 - 00000000 ___RD () C:\Users\McMillan\Desktop\Steve

2014-07-31 16:12 - 2014-07-31 16:12 - 01084928 _____ (Farbar) C:\Users\McMillan\Desktop\FRST.exe

2014-07-31 16:04 - 2014-07-31 16:04 - 00000000 ____D () C:\Users\McMillan\Downloads\testdickharddiskfixbootrecovery

2014-07-31 16:03 - 2014-07-31 16:03 - 00000000 ____D () C:\Users\McMillan\Downloads\TCPVIEW

2014-07-31 16:03 - 2014-07-31 16:01 - 00000000 ____D () C:\Users\McMillan\Downloads\ProcessExplorer

2014-07-31 15:58 - 2014-07-31 10:13 - 00000000 ____D () C:\Users\McMillan\Downloads\GrantPerms

2014-07-31 15:57 - 2014-07-31 15:46 - 233663808 _____ (Emsisoft GmbH ) C:\Users\McMillan\Downloads\EmsisoftAntiMalwareSetup.exe

2014-07-31 15:52 - 2014-07-31 15:52 - 01942776 _____ (Bleeping Computer, LLC) C:\Users\McMillan\Downloads\rkill.com

2014-07-31 15:38 - 2014-07-31 15:38 - 01402880 _____ () C:\Users\McMillan\Downloads\HiJackThis.msi

2014-07-31 14:30 - 2014-07-23 13:05 - 00000000 ____D () C:\inetpub

2014-07-31 13:35 - 2014-07-31 13:35 - 00000000 ____H () C:\Users\McMillan\Documents\Default.rdp

2014-07-31 12:15 - 2014-07-31 12:15 - 00058016 _____ () C:\Users\McMillan\AppData\Local\GDIPFONTCACHEV1.DAT

2014-07-31 10:32 - 2014-07-31 10:32 - 01156136 _____ (Ruiware) C:\Users\McMillan\Downloads\winpatrolstartupPrograms.exe

2014-07-31 10:27 - 2014-07-31 10:26 - 00688992 _____ (Swearware) C:\Users\McMillan\Downloads\ddsscancompfindoutwhatswrong.scr

2014-07-31 10:11 - 2014-07-31 10:11 - 00401920 _____ (Farbar) C:\Users\McMillan\Downloads\MiniToolBoxinternetissueshijacking.exe

2014-07-31 10:10 - 2014-07-31 10:10 - 01084928 _____ (Farbar) C:\Users\McMillan\Downloads\Farbarrecoveryscantool.exe

2014-07-31 09:41 - 2014-07-31 09:40 - 01361309 _____ () C:\Users\McMillan\Downloads\adwcleaner_3.302.exe

2014-07-31 09:40 - 2014-07-31 09:40 - 00709564 _____ () C:\Users\McMillan\Downloads\delfix2useafterdisinfection10.8.exe

2014-07-31 09:36 - 2014-07-31 09:36 - 00695920 _____ (RaMMicHaeL) C:\Users\McMillan\Downloads\unchecky_setup.exe

2014-07-31 09:35 - 2014-07-31 09:35 - 00914016 _____ (Foolish IT LLC ) C:\Users\McMillan\Downloads\CryptoPreventSetup.exe

2014-07-31 09:33 - 2014-07-31 09:33 - 02650408 _____ (Malwarebytes ) C:\Users\McMillan\Downloads\Mbytes Anit Exploit-setup-1.03.1.1220.exe

2014-07-31 09:33 - 2014-07-31 09:32 - 17292760 _____ (Malwarebytes Corporation ) C:\Users\McMillan\Downloads\mbam-setup-2.0.2.1012.exe

2014-07-31 09:31 - 2014-07-31 09:31 - 00448512 _____ (OldTimer Tools) C:\Users\McMillan\Downloads\TFCremoveALLtempfiles.exe

2014-07-31 09:29 - 2014-07-31 09:29 - 02856736 _____ (MyCity) C:\Users\McMillan\Downloads\MCShield-Setup.exe

2014-07-31 08:50 - 2014-07-31 08:50 - 05563986 _____ (Swearware) C:\Users\McMillan\Downloads\ComboFix.exe

2014-07-31 08:49 - 2014-07-31 08:49 - 00368256 _____ (RegNow.com) C:\Users\McMillan\Downloads\Download_MaxSDDMnew.exe

2014-07-31 08:41 - 2014-07-31 08:32 - 149623616 _____ () C:\Users\McMillan\Downloads\kasperskyvirusremoval.exe

2014-07-31 08:35 - 2014-07-31 08:35 - 00442464 _____ (Kaspersky Lab ZAO) C:\Users\McMillan\Downloads\capperkiller.exe

2014-07-31 08:33 - 2014-07-31 08:33 - 04181856 _____ (Kaspersky Lab ZAO) C:\Users\McMillan\Downloads\tdsskiller malware virus removal.exe

2014-07-31 08:16 - 2014-07-04 13:44 - 00035152 _____ () C:\Windows\system32\Drivers\TrueSight.sys

2014-07-31 08:12 - 2014-07-31 08:12 - 00001930 _____ () C:\Windows\hiveList.dat

2014-07-31 08:12 - 2014-07-31 08:12 - 00000004 _____ () C:\Windows\CSCCompactState

2014-07-31 08:08 - 2014-07-31 08:08 - 00000000 ____D () C:\Program Files\COMODO

2014-07-31 08:00 - 2009-07-14 10:37 - 00000000 ____D () C:\Windows\system32\LogFiles

2014-07-31 07:52 - 2014-07-31 07:52 - 00000000 _____ () C:\Windows\setuperr.log

2014-07-31 07:42 - 2014-06-15 14:27 - 00000000 ____D () C:\ProgramData\NVIDIA

2014-07-31 07:03 - 2009-07-14 12:52 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games

2014-07-31 07:03 - 2009-07-14 10:37 - 00000000 ____D () C:\Windows\system32\spool

2014-07-31 06:38 - 2014-06-15 14:29 - 00000000 ____D () C:\Users\McMillan\AppData\Local\NVIDIA Corporation

2014-07-31 06:36 - 2014-06-12 18:35 - 00000000 ____D () C:\Users\McMillan

2014-07-31 06:35 - 2009-07-14 10:37 - 00000000 ____D () C:\Windows\system32\wfp

2014-07-31 06:34 - 2014-06-22 07:15 - 00000000 ____D () C:\Users\Butch

2014-07-31 06:34 - 2014-06-16 19:40 - 00000000 ____D () C:\Users\McMillan\AppData\Local\oDesk

2014-07-31 06:34 - 2014-06-16 19:07 - 00000000 ____D () C:\Users\McMillan\AppData\Roaming\mjusbsp

2014-07-31 00:58 - 2014-06-13 01:05 - 00000000 ____D () C:\Users\McMillan\Desktop\BD

2014-07-30 18:13 - 2014-06-16 19:29 - 00001001 _____ () C:\Users\McMillan\Desktop\magicJack.lnk

2014-07-30 18:13 - 2014-06-16 19:29 - 00000987 _____ () C:\Users\McMillan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\magicJack.lnk

2014-07-30 15:59 - 2014-07-25 00:25 - 00000000 ____D () C:\Users\McMillan\AppData\Local\CrashDumps

2014-07-30 15:59 - 2014-06-13 10:21 - 00000000 ____D () C:\Windows\Panther

2014-07-30 11:56 - 2014-07-30 11:50 - 107934464 _____ (Microsoft Corporation) C:\Users\McMillan\Downloads\microsofts one time security tool.exe

2014-07-30 11:55 - 2014-07-30 11:53 - 14863480 _____ (Comodo Security Solutions, Inc.) C:\Users\McMillan\Downloads\comodregistrycleanerptsetup.exe

2014-07-30 11:53 - 2014-07-30 11:53 - 04813544 _____ (Piriform Ltd) C:\Users\McMillan\Downloads\cccleanrersetup416.exe

2014-07-30 11:46 - 2014-07-30 11:45 - 19598528 _____ (SUPERAntiSpyware) C:\Users\McMillan\Downloads\SUPERAntiSpyware.exe

2014-07-30 11:41 - 2014-07-30 11:40 - 07222504 _____ (TweakNow.com ) C:\Users\McMillan\Downloads\tweaknowRegCleaner731.exe

2014-07-30 11:23 - 2009-07-14 10:37 - 00000000 ____D () C:\Program Files\Common Files\microsoft shared

2014-07-30 10:02 - 2014-06-16 21:37 - 00000000 ____D () C:\Users\McMillan\Desktop\Tanya

2014-07-30 00:41 - 2014-07-03 05:00 - 00000000 ____D () C:\Users\McMillan\AppData\Roaming\Zoiper

2014-07-28 22:54 - 2014-07-28 22:39 - 00000000 ____D () C:\Users\McMillan\Desktop\BOB

2014-07-28 20:48 - 2014-07-28 20:48 - 00014398 _____ () C:\Users\McMillan\Desktop\chrome - Shortcut.lnk

2014-07-28 20:45 - 2014-07-28 20:42 - 00000000 ____D () C:\Program Files\Google

2014-07-28 20:42 - 2014-06-12 18:48 - 00000000 ____D () C:\Users\McMillan\AppData\Local\Deployment

2014-07-28 05:55 - 2014-06-25 17:05 - 00000000 ____D () C:\Users\McMillan\AppData\Roaming\BitComet

2014-07-25 07:19 - 2014-06-20 23:00 - 00000000 ____D () C:\Users\McMillan\AppData\Local\PokerStars

2014-07-25 05:30 - 2014-06-22 00:52 - 00007627 _____ () C:\Users\McMillan\AppData\Local\Resmon.ResmonCfg

2014-07-25 05:30 - 2009-07-14 12:34 - 00064512 _____ () C:\Windows\system32\umstartup.etl

2014-07-25 03:18 - 2014-07-25 03:18 - 00024825 _____ () C:\Users\McMillan\Downloads\msg0001.WAV

2014-07-25 03:18 - 2014-06-13 00:27 - 00699056 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerApp.exe

2014-07-25 03:18 - 2014-06-13 00:27 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\system32\FlashPlayerCPLApp.cpl

2014-07-25 02:28 - 2014-07-25 02:28 - 00000000 _____ () C:\Users\McMillan\AppData\Local\{C9A256ED-41A5-49FE-959F-3AEA296345F8}

2014-07-25 02:26 - 2014-06-13 01:00 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\VideoLAN

2014-07-25 02:25 - 2014-06-17 09:48 - 00000000 ____D () C:\Windows\pss

2014-07-25 02:25 - 2014-06-13 17:49 - 00000000 ___SD () C:\Windows\system32\CompatTel

2014-07-25 02:25 - 2014-06-13 00:27 - 00000000 ____D () C:\Windows\system32\Macromed

2014-07-25 02:25 - 2009-07-14 10:37 - 00000000 ___RD () C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance

2014-07-25 02:25 - 2009-07-14 10:37 - 00000000 ___RD () C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories

2014-07-25 02:25 - 2009-07-14 10:37 - 00000000 ___RD () C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance

2014-07-25 02:25 - 2009-07-14 10:37 - 00000000 ___RD () C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories

2014-07-25 02:25 - 2009-07-14 10:37 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance

2014-07-25 02:25 - 2009-07-14 10:37 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories

2014-07-25 02:25 - 2009-07-14 10:37 - 00000000 ____D () C:\Windows\TAPI

2014-07-25 02:25 - 2009-07-14 10:37 - 00000000 ____D () C:\Windows\system32\Msdtc

2014-07-25 02:25 - 2009-07-14 10:37 - 00000000 ____D () C:\Windows\security

2014-07-25 02:25 - 2009-07-14 10:37 - 00000000 ____D () C:\Windows\Microsoft.NET

2014-07-25 02:24 - 2014-07-23 13:10 - 00000000 ____D () C:\Users\Butch\AppData\Roaming\Skype

2014-07-25 02:24 - 2014-07-23 08:50 - 00000000 ____D () C:\Users\McMillan\Desktop\Fix it portable

2014-07-25 02:24 - 2014-07-04 13:44 - 00000000 ____D () C:\ProgramData\RogueKiller

2014-07-25 02:24 - 2014-07-03 05:00 - 00000000 ____D () C:\Program Files\Zoiper

2014-07-25 02:24 - 2014-07-01 02:20 - 00000000 ____D () C:\Users\McMillan\AppData\Local\join.me

2014-07-25 02:24 - 2014-06-24 20:11 - 00000000 ____D () C:\Users\Butch\AppData\Roaming\vlc

2014-07-25 02:24 - 2014-06-22 09:27 - 00000000 ____D () C:\Users\Butch\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Google Chrome

2014-07-25 02:24 - 2014-06-22 07:15 - 00000000 ___RD () C:\Users\Butch\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance

2014-07-25 02:24 - 2014-06-22 07:15 - 00000000 ___RD () C:\Users\Butch\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories

2014-07-25 02:24 - 2014-06-21 01:01 - 00000000 ____D () C:\Program Files\Ringio

2014-07-25 02:24 - 2014-06-20 23:00 - 00000000 ____D () C:\Users\McMillan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\PokerStars

2014-07-25 02:24 - 2014-06-20 22:59 - 00000000 ____D () C:\Program Files\PokerStars

2014-07-25 02:24 - 2014-06-16 19:40 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\oDesk

2014-07-25 02:24 - 2014-06-16 19:40 - 00000000 ____D () C:\Program Files\oDesk

2014-07-25 02:24 - 2014-06-16 19:29 - 00000000 ____D () C:\Users\McMillan\AppData\Local\magicJack

2014-07-25 02:24 - 2014-06-16 17:24 - 00000000 ____D () C:\Users\McMillan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\WinRAR

2014-07-25 02:24 - 2014-06-16 17:24 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\WinRAR

2014-07-25 02:24 - 2014-06-16 17:14 - 00000000 ____D () C:\Program Files\WinRAR

2014-07-25 02:24 - 2014-06-16 02:09 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Microsoft Silverlight

2014-07-25 02:24 - 2014-06-16 02:09 - 00000000 ____D () C:\Program Files\Microsoft Silverlight

2014-07-25 02:24 - 2014-06-15 14:29 - 00000000 ____D () C:\Users\McMillan\AppData\Local\NVIDIA

2014-07-25 02:24 - 2014-06-15 14:28 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\NVIDIA Corporation

2014-07-25 02:24 - 2014-06-15 14:27 - 00000000 ____D () C:\ProgramData\NVIDIA Corporation

2014-07-25 02:24 - 2014-06-13 01:03 - 00000000 ___RD () C:\Program Files\Skype

2014-07-25 02:24 - 2014-06-13 01:03 - 00000000 ____D () C:\ProgramData\Skype

2014-07-25 02:24 - 2014-06-13 01:03 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype

2014-07-25 02:24 - 2014-06-12 18:48 - 00000000 ____D () C:\Users\McMillan\AppData\Local\Apps\2.0

2014-07-25 02:24 - 2014-06-12 18:38 - 00000000 ____D () C:\Program Files\NVIDIA Corporation

2014-07-25 02:24 - 2014-06-12 18:35 - 00000000 ___RD () C:\Users\McMillan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance

2014-07-25 02:24 - 2014-06-12 18:35 - 00000000 ___RD () C:\Users\McMillan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories

2014-07-25 02:24 - 2009-07-14 10:37 - 00000000 ____D () C:\Windows\Help

2014-07-25 02:24 - 2009-07-14 10:37 - 00000000 ____D () C:\Windows\AppCompat

2014-07-25 02:23 - 2011-04-12 10:16 - 00000000 ____D () C:\Windows\system32\winrm

2014-07-25 02:23 - 2011-04-12 10:16 - 00000000 ____D () C:\Windows\system32\WCN

2014-07-25 02:23 - 2011-04-12 10:16 - 00000000 ____D () C:\Windows\system32\slmgr

2014-07-25 02:23 - 2011-04-12 10:16 - 00000000 ____D () C:\Windows\system32\Printing_Admin_Scripts

2014-07-25 02:23 - 2009-07-14 12:52 - 00000000 ____D () C:\Windows\system32\WindowsPowerShell

2014-07-25 02:23 - 2009-07-14 12:52 - 00000000 ____D () C:\Windows\system32\WinBioPlugIns

2014-07-25 02:23 - 2009-07-14 10:37 - 00000000 ___HD () C:\Windows\system32\GroupPolicy

2014-07-25 02:23 - 2009-07-14 10:37 - 00000000 ____D () C:\Windows\Web

2014-07-25 02:23 - 2009-07-14 10:37 - 00000000 ____D () C:\Windows\Vss

2014-07-25 02:23 - 2009-07-14 10:37 - 00000000 ____D () C:\Windows\system32\spp

2014-07-25 02:23 - 2009-07-14 10:37 - 00000000 ____D () C:\Windows\system32\Speech

2014-07-25 02:23 - 2009-07-14 10:37 - 00000000 ____D () C:\Windows\system32\SMI

2014-07-25 02:23 - 2009-07-14 10:37 - 00000000 ____D () C:\Windows\system32\MUI

2014-07-25 02:23 - 2009-07-14 10:37 - 00000000 ____D () C:\Windows\system32\inetsrv

2014-07-25 02:22 - 2009-07-14 12:52 - 00000000 ____D () C:\Windows\Performance

2014-07-25 02:22 - 2009-07-14 10:37 - 00000000 ____D () C:\Windows\system32\IME

2014-07-25 02:22 - 2009-07-14 10:37 - 00000000 ____D () C:\Windows\system32\com

2014-07-25 02:22 - 2009-07-14 10:37 - 00000000 ____D () C:\Windows\Speech

2014-07-25 02:22 - 2009-07-14 10:37 - 00000000 ____D () C:\Windows\schemas

2014-07-25 02:22 - 2009-07-14 10:37 - 00000000 ____D () C:\Windows\Resources

2014-07-25 02:22 - 2009-07-14 10:37 - 00000000 ____D () C:\Windows\PLA

2014-07-25 02:21 - 2009-07-14 10:37 - 00000000 __RSD () C:\Windows\Media

2014-07-25 02:20 - 2009-07-14 10:37 - 00000000 ____D () C:\Windows\IME

2014-07-25 02:20 - 2009-07-14 10:37 - 00000000 ____D () C:\Windows\Globalization

2014-07-25 02:20 - 2009-07-14 10:37 - 00000000 ____D () C:\Windows\Branding

2014-07-25 02:19 - 2014-06-16 18:17 - 00000000 ____D () C:\Users\McMillan\AppData\Roaming\Macromedia

2014-07-25 02:19 - 2014-06-16 17:31 - 00000000 ____D () C:\Users\McMillan\AppData\Roaming\Moonchild Productions

2014-07-25 02:19 - 2014-06-15 13:49 - 00000000 ____D () C:\Users\McMillan\AppData\Roaming\Adobe

2014-07-25 02:19 - 2009-07-14 10:37 - 00000000 ___RD () C:\Users\Public

2014-07-25 02:18 - 2014-06-22 07:16 - 00000000 ____D () C:\Users\Butch\AppData\Local\Google

2014-07-25 02:18 - 2014-06-22 07:15 - 00000000 ____D () C:\Users\Butch\AppData\Roaming\Macromedia

2014-07-25 02:18 - 2014-06-21 01:01 - 00000000 ____D () C:\Users\Default\AppData\Roaming\Macromedia

2014-07-25 02:18 - 2014-06-21 01:01 - 00000000 ____D () C:\Users\Default User\AppData\Roaming\Macromedia

2014-07-25 02:18 - 2014-06-16 17:31 - 00000000 ____D () C:\Users\McMillan\AppData\Local\Moonchild Productions

2014-07-25 02:18 - 2014-06-13 01:03 - 00000000 ____D () C:\Users\McMillan\AppData\Local\Skype

2014-07-25 02:18 - 2014-06-13 01:00 - 00000000 ____D () C:\Program Files\VideoLAN

2014-07-25 02:18 - 2014-06-12 18:49 - 00000000 ____D () C:\Users\McMillan\AppData\Local\Google

2014-07-25 02:18 - 2009-07-14 12:52 - 00000000 ____D () C:\Program Files\Windows Photo Viewer

2014-07-25 02:18 - 2009-07-14 12:52 - 00000000 ____D () C:\Program Files\Windows Defender

2014-07-25 02:18 - 2009-07-14 10:37 - 00000000 __RHD () C:\Users\Default

2014-07-25 02:18 - 2009-07-14 10:37 - 00000000 ____D () C:\Program Files\Windows NT

2014-07-25 02:17 - 2014-06-21 01:01 - 00000000 ____D () C:\Program Files\Common Files\Adobe AIR

2014-07-25 02:17 - 2014-06-21 01:01 - 00000000 ____D () C:\Program Files\Adobe

2014-07-25 02:17 - 2009-07-14 12:52 - 00000000 ____D () C:\Program Files\DVD Maker

2014-07-25 02:17 - 2009-07-14 10:37 - 00000000 ____D () C:\Program Files\Common Files\System

2014-07-25 02:17 - 2009-07-14 10:37 - 00000000 ____D () C:\Program Files\Common Files\SpeechEngines

2014-07-25 02:09 - 2014-07-25 02:03 - 00000000 ____D () C:\Users\McMillan\msdt

2014-07-24 23:48 - 2014-07-23 16:06 - 00000000 ____D () C:\Windows\system32\BlueStacks

2014-07-24 18:05 - 2014-07-24 18:05 - 00000000 ____D () C:\Users\McMillan\AppData\Local\Bluestacks

2014-07-23 17:21 - 2014-07-23 17:21 - 00000000 __SHD () C:\Users\Butch\AppData\Local\EmieUserList

2014-07-23 17:21 - 2014-07-23 17:21 - 00000000 __SHD () C:\Users\Butch\AppData\Local\EmieSiteList

2014-07-23 16:06 - 2014-07-23 16:06 - 00000000 ____D () C:\Users\Butch\AppData\Roaming\NVIDIA

2014-07-23 16:01 - 2014-07-23 16:01 - 00000000 ____D () C:\Users\Butch\AppData\Local\Bluestacks

2014-07-23 13:10 - 2014-07-23 13:10 - 00000000 ____D () C:\Users\Butch\AppData\Local\Skype

2014-07-23 13:04 - 2014-07-23 10:32 - 00000000 ____D () C:\Users\Butch\AppData\Local\NVIDIA Corporation

2014-07-23 10:52 - 2014-06-12 19:03 - 00231584 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe

2014-07-23 10:31 - 2014-07-23 10:31 - 00000000 ____D () C:\Users\Butch\AppData\Local\tjnet

2014-07-23 10:26 - 2014-07-23 10:18 - 00007654 _____ () C:\Users\Butch\AppData\Local\resmon.resmoncfg

2014-07-23 06:49 - 2014-07-23 06:49 - 00000632 __RSH () C:\Users\McMillan\ntuser.pol

2014-07-04 16:26 - 2014-07-04 16:25 - 14349744 _____ (Malwarebytes Corp.) C:\Users\McMillan\Downloads\mbar-1.07.0.1012.exe

2014-07-04 13:42 - 2014-07-04 13:30 - 230403208 _____ (COMODO) C:\Users\McMillan\Downloads\cfw_installer_5732_83.exe

2014-07-04 13:19 - 2014-07-04 13:18 - 04721240 _____ () C:\Users\McMillan\Downloads\RogueKiller.exe

2014-07-04 11:09 - 2014-07-04 11:09 - 01291624 _____ (Baidu, Inc.) C:\Users\McMillan\Downloads\BavPro_Setup_Mini_GL.exe

2014-07-04 10:44 - 2014-06-30 16:12 - 00000000 ____D () C:\Users\McMillan\Downloads\MOVIES

2014-07-04 09:58 - 2014-07-04 09:58 - 00000000 ____H () C:\Windows\system32\Drivers\Msft_User_WpdFs_01_09_00.Wdf

2014-07-03 15:31 - 2014-07-03 15:31 - 00000000 ____D () C:\Users\McMillan\AppData\Roaming\dvdcss

2014-07-03 15:29 - 2009-07-14 10:37 - 00000000 ____D () C:\Windows\rescache

2014-07-03 05:00 - 2014-07-03 05:00 - 00000955 _____ () C:\Users\McMillan\Desktop\Zoiper.lnk

2014-07-03 04:53 - 2014-07-03 04:53 - 00000000 ____D () C:\ProgramData\Sun

 

==================== Bamital & volsnap Check =================

 

(There is no automatic fix for files that do not pass verification.)

 

C:\Windows\explorer.exe => File is digitally signed

C:\Windows\system32\winlogon.exe => File is digitally signed

C:\Windows\system32\wininit.exe => File is digitally signed

C:\Windows\system32\svchost.exe => File is digitally signed

C:\Windows\system32\services.exe => File is digitally signed

C:\Windows\system32\User32.dll => File is digitally signed

C:\Windows\system32\userinit.exe => File is digitally signed

C:\Windows\system32\rpcss.dll => File is digitally signed

C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed

 

 

LastRegBack: 2014-07-29 01:56

 

==================== End Of Log ============================

 

and the Addition file

 

 


Additional scan result of Farbar Recovery Scan Tool (x86) Version:31-07-2014 01

Ran by McMillan at 2014-08-01 19:05:05

Running from C:\Users\McMillan\Desktop

Boot Mode: Normal

==========================================================

 

 

==================== Security Center ========================

 

(If an entry is included in the fixlist, it will be removed.)

 

AV: Emsisoft Anti-Malware (Enabled - Up to date) {8504DEEF-CC04-1F76-2137-F1A5F4A659DA}

AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

AS: Emsisoft Anti-Malware (Enabled - Up to date) {3E653F0B-EA3E-10F8-1B87-CAD78F211367}

 

==================== Installed Programs ======================

 

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

 

Adobe AIR (HKLM\...\Adobe AIR) (Version: 14.0.0.110 - Adobe Systems Incorporated)

Adobe AIR (Version: 14.0.0.110 - Adobe Systems Incorporated) Hidden

Adobe Flash Player 14 Plugin (HKLM\...\Adobe Flash Player Plugin) (Version: 14.0.0.145 - Adobe Systems Incorporated)

Damn oDesk Team (HKCU\...\oDVT) (Version:  - oDesk Corporation)

Emsisoft Anti-Malware (HKLM\...\{5502032C-88C1-4303-99FE-B5CBD7684CEA}_is1) (Version: 9.0 - Emsisoft GmbH)

Google Chrome Bitch (HKLM\...\Google Chrome) (Version: 36.0.1985.125 - Google Inc.)

Google Update Helper (Version: 1.3.24.15 - Google Inc.) Hidden

Java 7 Update 65 (HKLM\...\{26A24AE4-039D-4CA4-87B4-2F03217065FF}) (Version: 7.0.650 - Oracle)

Java Auto Updater (Version: 2.1.65.20 - Oracle, Inc.) Hidden

join.me, I'm Gay! (HKCU\...\JoinMe) (Version: 1.14.0.141 - LogMeIn, Inc.)

magicJackOFF (HKCU\...\magicJack) (Version: 4.1.7574.5297 - magicJack L.P.)

Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)

Microsoft .NET Framework 4.5.1 (Version: 4.5.50938 - Microsoft Corporation) Hidden

Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30214.0 - Microsoft Corporation)

Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)

NVIDIA 3D Vision Driver 337.88 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.3DVision) (Version: 337.88 - NVIDIA Corporation)

NVIDIA Control Panel 337.88 (Version: 337.88 - NVIDIA Corporation) Hidden

NVIDIA Drivers (HKLM\...\NVIDIA Drivers) (Version: 1.10.62.40 - NVIDIA Corporation)

NVIDIA GeForce Experience 2.0.1 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.GFExperience) (Version: 2.0.1 - NVIDIA Corporation)

NVIDIA Graphics Driver 337.88 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 337.88 - NVIDIA Corporation)

NVIDIA Install Application (Version: 2.1002.154.1168 - NVIDIA Corporation) Hidden

NVIDIA LED Visualizer 1.0 (Version: 1.0 - NVIDIA Corporation) Hidden

NVIDIA Network Service (Version: 1.0 - NVIDIA Corporation) Hidden

NVIDIA ShadowPlay 12.4.67 (Version: 12.4.67 - NVIDIA Corporation) Hidden

NVIDIA Stereoscopic 3D Driver (Version: 7.17.12.6514 - NVIDIA Corporation) Hidden

NVIDIA Update 12.4.67 (Version: 12.4.67 - NVIDIA Corporation) Hidden

NVIDIA Update Core (Version: 12.4.67 - NVIDIA Corporation) Hidden

NVIDIA Virtual Audio 1.2.23 (Version: 1.2.23 - NVIDIA Corporation) Hidden

Poker fukin Stars (HKLM\...\PokerStars) (Version:  - PokerStars)

Ringio (HKLM\...\Ringio.FE833F21A5E41A0F2AD24347AACCB5A50596C79D.1) (Version: v-2.4 - Ringio)

Ringio (Version: 2.4 - Ringio) Hidden

SHIELD Streaming (Version: 2.1.108 - NVIDIA Corporation) Hidden

Skype™ 6.16 (HKLM\...\{7A3C7E05-EE37-47D6-99E1-2EB05A3DA3F7}) (Version: 6.16.105 - Skype Technologies S.A.)

VLC Hack me PLZ vs 2.1.3 (HKLM\...\VLC media player) (Version: 2.1.3 - VideoLAN)

WinRAR 5.01 (32-bit) (HKLM\...\WinRAR archiver) (Version: 5.01.0 - win.rar GmbH)

Zoiper (HKLM\...\Zoiper) (Version: 3.2 - Securax LTD)

 

==================== Custom CLSID (selected items): ==========================

 

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

 

 

==================== Restore Points  =========================

 

23-07-2014 05:05:23 Windows Modules Installer

24-07-2014 15:46:34 Restore Operation

24-07-2014 20:52:25 July 25th, back to normal again

28-07-2014 13:31:48 Removed Java 7 Update 60

28-07-2014 13:37:25 Installed Java 7 Update 21

30-07-2014 17:04:37 Windows Backup

30-07-2014 21:06:50 Windows Update

30-07-2014 22:33:38 Restore Operation

30-07-2014 23:03:17 Windows Modules Installer

30-07-2014 23:33:05 Windows Update

31-07-2014 11:37:41 Removed Java 7 Update 21

31-07-2014 12:40:31 Installed Java 7 Update 65

31-07-2014 21:46:54 Installed Microsoft Fix it 50671

 

==================== Hosts content: ==========================

 

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

 

2009-07-14 10:04 - 2014-07-04 16:27 - 00000768 ____A C:\Windows\system32\Drivers\etc\hosts

127.0.0.1 localhost

 

==================== Scheduled Tasks (whitelisted) =============

 

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

 

Task: {D59E24B9-5425-4BE2-878F-1EE57E154F4D} - System32\Tasks\Microsoft\Windows\WindowsBackup\AutomaticBackup => Rundll32.exe /d sdengin2.dll,ExecuteScheduledBackup

 

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

 

 

==================== Loaded Modules (whitelisted) =============

 

2014-07-31 19:31 - 2014-06-18 15:50 - 00703800 _____ () C:\Program Files\Emsisoft Anti-Malware\fw32.dll

2014-07-28 20:45 - 2014-07-15 17:24 - 08537928 _____ () C:\Program Files\Google\Chrome\Application\36.0.1985.125\pdf.dll

2014-07-28 20:45 - 2014-07-15 17:24 - 00353096 _____ () C:\Program Files\Google\Chrome\Application\36.0.1985.125\ppGoogleNaClPluginChrome.dll

2014-07-28 20:45 - 2014-07-15 17:24 - 01732936 _____ () C:\Program Files\Google\Chrome\Application\36.0.1985.125\ffmpegsumo.dll

 

==================== Alternate Data Streams (whitelisted) =========

 

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

 

 

==================== Safe Mode (whitelisted) ===================

 

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

 

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CleanHlp => ""="Driver"

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CleanHlp.sys => ""="Driver"

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\CleanHlp => ""="Driver"

HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\CleanHlp.sys => ""="Driver"

 

==================== EXE Association (whitelisted) =============

 

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)

 

 

==================== MSCONFIG/TASK MANAGER disabled items =========

 

(Currently there is no automatic fix for this section.)

 

MSCONFIG\Services: ALG => 3

MSCONFIG\Services: AppIDSvc => 3

MSCONFIG\Services: SensrSvc => 3

MSCONFIG\Services: SessionEnv => 3

MSCONFIG\Services: SNMPTRAP => 3

MSCONFIG\Services: TapiSrv => 3

MSCONFIG\Services: TermService => 3

MSCONFIG\Services: W32Time => 3

MSCONFIG\Services: WSearch => 3

MSCONFIG\Services: wuauserv => 3

MSCONFIG\startupreg: SunJavaUpdateSched => "C:\Program Files\Common Files\Java\Java Update\jusched.exe"

 

==================== Faulty Device Manager Devices =============

 

 

==================== Event log errors: =========================

 

Application errors:

==================

Error: (08/01/2014 06:13:04 PM) (Source: WinMgmt) (EventID: 10) (User: )

Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

 

Error: (08/01/2014 06:10:01 AM) (Source: WinMgmt) (EventID: 10) (User: )

Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

 

Error: (08/01/2014 05:50:31 AM) (Source: WinMgmt) (EventID: 10) (User: )

Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

 

Error: (08/01/2014 05:36:28 AM) (Source: WinMgmt) (EventID: 10) (User: )

Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

 

Error: (08/01/2014 03:56:51 AM) (Source: WinMgmt) (EventID: 10) (User: )

Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

 

Error: (07/31/2014 08:20:43 PM) (Source: WinMgmt) (EventID: 10) (User: )

Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

 

Error: (07/31/2014 08:17:57 PM) (Source: C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe) (EventID: 1) (User: )

Description: C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exeCan't get user token [1008]

 

Error: (07/31/2014 00:56:29 PM) (Source: .NET Runtime Optimization Service) (EventID: 1103) (User: )

Description: .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32) - Tried to start a service that wasn't the latest version of CLR Optimization service. Will shutdown

 

Error: (07/31/2014 07:44:15 AM) (Source: WinMgmt) (EventID: 10) (User: )

Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

 

Error: (07/31/2014 06:37:29 AM) (Source: WinMgmt) (EventID: 10) (User: )

Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

 

 

System errors:

=============

Error: (08/01/2014 05:48:52 AM) (Source: Service Control Manager) (EventID: 7000) (User: )

Description: The Cryptographic Services service failed to start due to the following error: 

%%1079

 

Error: (08/01/2014 05:34:53 AM) (Source: Service Control Manager) (EventID: 7000) (User: )

Description: The Cryptographic Services service failed to start due to the following error: 

%%1079

 

Error: (08/01/2014 05:33:42 AM) (Source: Service Control Manager) (EventID: 7000) (User: )

Description: The Cryptographic Services service failed to start due to the following error: 

%%1079

 

Error: (08/01/2014 03:55:20 AM) (Source: Service Control Manager) (EventID: 7000) (User: )

Description: The Cryptographic Services service failed to start due to the following error: 

%%1079

 

Error: (07/31/2014 08:41:14 PM) (Source: Service Control Manager) (EventID: 7000) (User: )

Description: The Cryptographic Services service failed to start due to the following error: 

%%1079

 

Error: (07/31/2014 08:41:14 PM) (Source: Service Control Manager) (EventID: 7000) (User: )

Description: The Cryptographic Services service failed to start due to the following error: 

%%1079

 

Error: (07/31/2014 08:41:14 PM) (Source: Service Control Manager) (EventID: 7000) (User: )

Description: The Cryptographic Services service failed to start due to the following error: 

%%1079

 

Error: (07/31/2014 08:40:39 PM) (Source: Service Control Manager) (EventID: 7000) (User: )

Description: The Cryptographic Services service failed to start due to the following error: 

%%1079

 

Error: (07/31/2014 08:40:36 PM) (Source: Service Control Manager) (EventID: 7000) (User: )

Description: The Cryptographic Services service failed to start due to the following error: 

%%1079

 

Error: (07/31/2014 08:40:35 PM) (Source: Service Control Manager) (EventID: 7000) (User: )

Description: The Cryptographic Services service failed to start due to the following error: 

%%1079

 

 

Microsoft Office Sessions:

=========================

Error: (08/01/2014 06:13:04 PM) (Source: WinMgmt) (EventID: 10) (User: )

Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

 

Error: (08/01/2014 06:10:01 AM) (Source: WinMgmt) (EventID: 10) (User: )

Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

 

Error: (08/01/2014 05:50:31 AM) (Source: WinMgmt) (EventID: 10) (User: )

Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

 

Error: (08/01/2014 05:36:28 AM) (Source: WinMgmt) (EventID: 10) (User: )

Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

 

Error: (08/01/2014 03:56:51 AM) (Source: WinMgmt) (EventID: 10) (User: )

Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

 

Error: (07/31/2014 08:20:43 PM) (Source: WinMgmt) (EventID: 10) (User: )

Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

 

Error: (07/31/2014 08:17:57 PM) (Source: C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe) (EventID: 1) (User: )

Description: C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exeCan't get user token [1008]

 

Error: (07/31/2014 00:56:29 PM) (Source: .NET Runtime Optimization Service) (EventID: 1103) (User: )

Description: .NET Runtime Optimization Service (clr_optimization_v2.0.50727_32) - Tried to start a service that wasn't the latest version of CLR Optimization service. Will shutdown

 

Error: (07/31/2014 07:44:15 AM) (Source: WinMgmt) (EventID: 10) (User: )

Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

 

Error: (07/31/2014 06:37:29 AM) (Source: WinMgmt) (EventID: 10) (User: )

Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

 

 

==================== Memory info =========================== 

 

Percentage of memory in use: 32%

Total physical RAM: 3327.23 MB

Available physical RAM: 2232.91 MB

Total Pagefile: 5825.52 MB

Available Pagefile: 4196.82 MB

Total Virtual: 2047.88 MB

Available Virtual: 1919.57 MB

 

==================== Drives ================================

 

Drive c: () (Fixed) (Total:171.29 GB) (Free:133.65 GB) NTFS

Drive e: (HD-PCTU3) (Fixed) (Total:931.51 GB) (Free:214.54 GB) NTFS

Drive l: (Z) (Fixed) (Total:294.37 GB) (Free:222.34 GB) NTFS

 

==================== MBR & Partition Table ==================

 

========================================================

Disk: 0 (MBR Code: Windows 7 or 8) (Size: 466 GB) (Disk ID: 1457E526)

Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)

Partition 2: (Not Active) - (Size=171 GB) - (Type=07 NTFS)

Partition 3: (Not Active) - (Size=294 GB) - (Type=07 NTFS)

 

========================================================

Disk: 1 (Size: 932 GB) (Disk ID: 16A1C0B4)

Partition 1: (Not Active) - (Size=932 GB) - (Type=07 NTFS)

 

==================== End Of Log ============================


That's it!

Your logs look clean to me at the moment.

We're gonna clean up everything now and in the end I'll provide you with a list of security tips so you hopefully will not need our help anymore in the future.

My help is free for everybody.

If you want to support me fighting against malware or buy me a beer for the assistance you received, then you can consider a donation.

Thank you!

Clean Up

Now we remove all the tools we used (including their logs and quarantine folders), restore your settings and delete old and infected system restore points:

  • You can uninstall programs that you had to install (e.g. MBAM or ESET Onlinescanner) in the control panel if you so wish.
  • Download DelFix (by Xplode) and save it to your Desktop.
    • Close all running programs and start delfix.exe.
    • Make sure that all available options are checked.
    • Click on Run.
    • DelFix should remove all our tools and delete itself afterwards. I don't need the log file.
  • If there is still something left you can delete it manually.
Closing security holes

Many infections happen via drive-by downloads that run unnoticed in the background while the user visits an infected website. To achieve this, malware exploits security holes in installed software (e.g. the browser or its plugins). Older versions of such software often have lots of known exploitable holes. Therefore it's very important to always keep your software up-to-date.

Tips

I recommend to read and follow the "16 simple and easy ways to keep your computer safe and secure on the Internet" (Link) by Lawrence Abrams.


I have no user/admin account now.

I type in Windows search to change my name or password, and nothing shows up, not even my backup login account...

Also, I cannot open my Windows Firewall, and my antivirus is auto-disabled and asking for an admin user. My account is not showing up; my backup admin account is, and the guest account, which I know I never turned on.

What's happening?


Your account has admin privileges:

Ran by McMillan (administrator) on SAHARA-PC on 01-08-2014 19:04:31

Download Security Check by screen317 from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

 Results of screen317's Security Check version 0.99.86  

 Windows 7 Service Pack 1 x86 (UAC is enabled)  

 Internet Explorer 11  

``````````````Antivirus/Firewall Check:`````````````` 

 Windows Firewall Enabled!  

Emsisoft Anti-Malware   

 Antivirus up to date!   

`````````Anti-malware/Other Utilities Check:````````` 

 Java 7 Update 65  

 Adobe Flash Player 14.0.0.145  

 Google Chrome 36.0.1985.125  

````````Process Check: objlist.exe by Laurent````````  

 Emsisoft Anti-Malware a2service.exe   

 Emsisoft Anti-Malware a2guard.exe   

`````````````````System Health check````````````````` 

 Total Fragmentation on Drive C: 1% 

````````````````````End of Log`````````````````````` 

Please download Farbar Service Scanner and run it on the computer with the issue.

  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

http://www.howtogeek.com/124218/why-does-chrome-have-so-many-open-processes/


Farbar Service Scanner Version: 21-07-2014

Ran by McMillan (administrator) on 02-08-2014 at 00:37:47

Running from "C:\Users\McMillan\Desktop"

Microsoft Windows 7 Home Basic  Service Pack 1 (X86)

Boot Mode: Normal

****************************************************************

 

Internet Services:

============

 

Connection Status:

==============

Localhost is accessible.

LAN connected.

Google IP is accessible.

Google.com is accessible.

Yahoo.com is accessible.

 

 

Windows Firewall:

=============

 

Firewall Disabled Policy: 

==================

 

 

System Restore:

============

 

System Restore Disabled Policy: 

========================

 

 

Action Center:

============

 

 

Windows Update:

============

 

Windows Autoupdate Disabled Policy: 

============================

 

 

Windows Defender:

==============

WinDefend Service is not running. Checking service configuration:

The start type of WinDefend service is set to Demand. The default start type is Auto.

The ImagePath of WinDefend service is OK.

The ServiceDll of WinDefend service is OK.

 

 

Windows Defender Disabled Policy: 

==========================

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]

"DisableAntiSpyware"=DWORD:1

 

 

Other Services:

==============

 

 

File Check:

========

C:\Windows\system32\nsisvc.dll => File is digitally signed

C:\Windows\system32\Drivers\nsiproxy.sys => File is digitally signed

C:\Windows\system32\dhcpcore.dll => File is digitally signed

C:\Windows\system32\Drivers\afd.sys => File is digitally signed

C:\Windows\system32\Drivers\tdx.sys => File is digitally signed

C:\Windows\system32\Drivers\tcpip.sys => File is digitally signed

C:\Windows\system32\dnsrslvr.dll => File is digitally signed

C:\Windows\system32\mpssvc.dll => File is digitally signed

C:\Windows\system32\bfe.dll => File is digitally signed

C:\Windows\system32\Drivers\mpsdrv.sys => File is digitally signed

C:\Windows\system32\SDRSVC.dll => File is digitally signed

C:\Windows\system32\vssvc.exe => File is digitally signed

C:\Windows\system32\wscsvc.dll => File is digitally signed

C:\Windows\system32\wbem\WMIsvc.dll => File is digitally signed

C:\Windows\system32\wuaueng.dll => File is digitally signed

C:\Windows\system32\qmgr.dll => File is digitally signed

C:\Windows\system32\es.dll => File is digitally signed

C:\Windows\system32\cryptsvc.dll => File is digitally signed

C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed

C:\Windows\system32\svchost.exe => File is digitally signed

C:\Windows\system32\rpcss.dll => File is digitally signed

 

 

**** End of log ****

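The FSS log above records three things about Windows Defender on this machine: the WinDefend service is not running and its start type is Demand where the default is Auto, the value DisableAntiSpyware under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender is set to 1, and the service DLL (C:\Program Files\Windows Defender\MpSvc.dll) passes a signature check. The PowerShell below is an added example, not from the thread and not part of Farbar's tools, that re-reads those same three facts with built-in cmdlets so a reader can repeat the check without FSS. It assumes Windows 7 with its stock PowerShell 2.0, which is why it uses Get-WmiObject (Get-Service has no StartType property there); the registry paths and file path are the ones printed in the log.

```powershell
# Added example (not from the thread or from FSS): re-check the Windows Defender
# facts the FSS log reports, using only cmdlets present on Windows 7 / PowerShell 2.0.

# 1. The policy value FSS printed under "Windows Defender Disabled Policy".
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows Defender'
$valueName = 'DisableAntiSpyware'

$disableValue = $null
if (Test-Path -Path $policyKey) {
    $props = Get-ItemProperty -Path $policyKey -Name $valueName -ErrorAction SilentlyContinue
    if ($props -ne $null) { $disableValue = [int]$props.$valueName }
}
if ($disableValue -eq $null) {
    "$valueName is not set under $policyKey"
} else {
    # 1 is what the log shows; Defender is switched off by this value.
    "$valueName = $disableValue"
}

# 2. Service state, start mode and image path (FSS: start type Demand, default is Auto).
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='WinDefend'"
if ($svc -eq $null) {
    'WinDefend service is not installed'
} else {
    'WinDefend: state={0} startmode={1}' -f $svc.State, $svc.StartMode
    'WinDefend ImagePath: {0}' -f $svc.PathName
    if ($svc.StartMode -ne 'Auto') { 'Note: the default start type for WinDefend is Auto' }
}

# 3. The ServiceDll the svchost-hosted service is configured to load, then an
#    Authenticode check on it. If the Parameters key is missing we fall back to the
#    path FSS listed in its File Check section.
$paramKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinDefend\Parameters'
$serviceDll = $null
if (Test-Path -Path $paramKey) {
    $serviceDll = (Get-ItemProperty -Path $paramKey -ErrorAction SilentlyContinue).ServiceDll
}
$target = if ($serviceDll) {
    [Environment]::ExpandEnvironmentVariables($serviceDll)
} else {
    'C:\Program Files\Windows Defender\MpSvc.dll'   # path taken from the FSS log
}
"WinDefend ServiceDll: $target"

if (Test-Path -Path $target) {
    $sig = Get-AuthenticodeSignature -FilePath $target
    # Caveat: many Windows system files are catalog-signed rather than carrying an
    # embedded signature; on older PowerShell versions those show up as NotSigned
    # here, which by itself is not evidence of tampering. FSS's own "digitally
    # signed" check is the better reference in that case.
    '{0} => {1} ({2})' -f $target, $sig.Status, $sig.SignerCertificate.Subject
} else {
    "$target => file not found"
}
```

Run it from an elevated PowerShell prompt so the service and registry queries succeed. Read together, the three outputs say whether Defender is off by policy (the DisableAntiSpyware value), off by service configuration (start mode and state), or replaced on disk (the ServiceDll path and its signature); on a machine that runs a third-party antivirus such as the Emsisoft product in these logs, the first two being "off" is the expected state rather than a finding on its own.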

No user account... see?

And what are the 15 Google ports for if I have only 1 Google Chrome open, 1 extension on?

I can clean up with your help once I know the answers. Maybe Windows search is set wrong, but I don't know why so many ports to Google are needed. Look at the length of the image name in Task Manager... looks fishy.

[three screenshot attachments omitted]


Hi, the file is clean.

https://www.virustotal.com/de/file/9b53fac8356942826b3784d89846c7b9715f09eae2ed1bd7df2f416b5eadf420/analysis/

So you can allow once.

User account:

http://windows.microsoft.com/en-us/windows7/working-with-control-panel

Your logs look clean. I don't see any indication that your computer is infected.


Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

This topic is now closed to further replies.